{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35475", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T20:49:44.453Z", "datePublished": "2026-04-06T21:17:04.964Z", "dateUpdated": "2026-04-06T21:17:04.964Z"}, "containers": {"cna": {"title": "WeGIA - Open Redirect - backup redirection \u2014 Unvalidated $_GET['redirect']", "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qfpg-6jh6-jx6p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qfpg-6jh6-jx6p"}], "affected": [{"vendor": "LabRedesCefetRJ", "product": "WeGIA", "versions": [{"version": "< 3.6.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T21:17:04.964Z"}, "descriptions": [{"lang": "en", "value": "WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, the redirect parameter is taken directly from $_GET with no URL validation or whitelist check, then used verbatim in a header(\"Location: ...\") call. This vulnerability is fixed in 3.6.9."}], "source": {"advisory": "GHSA-qfpg-6jh6-jx6p", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, the redirect parameter is taken directly from $_GET with no URL validation or whitelist check, then used verbatim in a header(\"Location: ...\") call. This vulnerability is fixed in 3.6.9."}], "id": "CVE-2026-35475", "lastModified": "2026-04-06T22:16:24.340", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T22:16:24.340", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-qfpg-6jh6-jx6p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-07T02:01:15.050128+00:00", "value": {"mitigation_remediation": ["Apply update to WeGIA 3.6.9 or later."], "summary": {"action": "Immediate Patch", "impact": "Open Redirect via unvalidated redirect parameter"}, "threat_synthesis": {"affected_systems": "The flaw exists in the WeGIA web manager from LabRedesCefetRJ. Versions prior to 3.6.9 are affected; the vulnerability was addressed in the 3.6.9 release.", "description_and_impact": "The vulnerability allows an attacker to supply an arbitrary URL via the 'redirect' parameter, which the application forwards in an unvalidated HTTP redirect. This open redirect can be abused for phishing, click\u2011through fraud or to obscure malicious links, but it does not constitute remote code execution or privilege escalation. The weakness corresponds to CWE\u2011601, representing an insecure link generation that fails to validate the target.", "risk_and_exploitability": "The CVSS score of 5.1 indicates moderate severity. No EPSS or KEV data is available, suggesting limited known exploitation activity. The attack vector is remote, triggered by any user able to visit a crafted URL containing the redirect parameter. Because the payload is simply a URL redirect, exploitation does not require authentication and can be performed by anyone who can influence user traffic."}}}}, "created": "2026-04-07T06:53:58.811487+00:00", "updated": "2026-04-07T06:53:58.811511+00:00", "vendors": []}